depGraph

Architecture Overview

A technical deep-dive into DepGraph's stack, data flow, and infrastructure decisions.

Tech Stack

LayerTechnology
FrontendNext.js 14 (App Router)
DatabasePostgreSQL (Supabase)
CacheRedis (Upstash)
AuthNextAuth.js + GitHub OAuth
HostingVercel
PaymentsRazorpay
EmailResend

Data Flow

From a single CLI command to a fully scored report:

bash
User: npx depgraph-scanner check


CLI reads package.json / package-lock.json


POST /api/scan Auth: API key or session


Check Redis cache (24hr TTL per package)
   HIT return cached scores instantly
   MISS fetch signals in parallel:
           GitHub API   (commits, contributors, issues)
           npm registry (downloads, metadata)
           OSV.dev      (CVE data)


Score engine computes health score (0–100)


Store in PostgreSQL + Redis


Return scored report
 CLI       (terminal output)
 Dashboard (web UI)

Caching Strategy

All upstream signals are aggressively cached to stay within GitHub API rate limits and minimise latency.

DataTTLRedis Key Pattern
Package score24hpkg:score:npm:{name}
GitHub signals6hgithub:repo:{owner}:{repo}
npm metadata12hnpm:meta:{name}
OSV data24hosv:npm:{name}
Full scan report1hscan:report:{lockfileHash}

Rate Limits

  • GitHub API: 5,000 req/hr (authenticated) — queue pauses at < 100 remaining
  • npm registry: No auth required, generous limits
  • OSV.dev: Free, no auth required

Deployment

  • Web: Vercel — auto-deploys from main
  • Cron: Vercel Cron — GET /api/cron/daily-tasks at 08:00 UTC daily
  • Environment: See .env.example in the repo for all required variables